Read of memory location 0x7ffe0000 in Windows NT

Laurent Pinchart laurent.pinchart at skynet.be
Mon Apr 1 16:11:09 CST 2002


Hi everybody,

I've stumbled across some code which reads a dword at memory location 
0x7ffe000, which causes the program to crash and the wine debugger to start.

After some investigation, it seems that reading the memory location 
0x7ffe0000 should return KeTickCount.LowPart to the user process. Has anyone 
ever heard about that? I was wondering if it was a native Windows NT 
behaviour, or if it was done by a special kernel-space exception handler 
installed by the program.

The assembly code which does the trick is

pusha
mov	$0x7ffe0000,%edx
mov	(%edx),%eax
mov	%eax,0xfffffffc(%ebp)
popa
mov	0xfffffffc(%ebp),%eax

Any idea, anyone?

Thanks for your help.

Laurent Pinchart
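
Added example, not part of the original message and not Wine's code: one way an emulation layer on a POSIX host could satisfy the read described above, assuming (as the post suggests) that the dword at 0x7ffe0000 holds the low part of the tick count. The function names and the 10 ms tick period are hypothetical.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <time.h>

#define SHARED_PAGE_ADDR 0x7ffe0000UL  /* address read by the code in the post */
#define TICK_MS 10                     /* assumed tick period, illustration only */

static volatile uint32_t *shared_page; /* offset 0 holds the low tick dword */

/* Map one page at the fixed address. Returns 0 on success, -1 if the address
 * is unavailable. The address is passed as a hint, not forced with MAP_FIXED,
 * so an existing mapping is never clobbered. */
int shared_page_map(void)
{
    void *want = (void *)SHARED_PAGE_ADDR;
    void *got = mmap(want, 4096, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (got == MAP_FAILED)
        return -1;
    if (got != want) {                 /* kernel placed it elsewhere: give up */
        munmap(got, 4096);
        return -1;
    }
    shared_page = got;
    return 0;
}

/* Store a tick count where the emulated program expects to find it. */
void shared_page_set_ticks(uint32_t ticks) { shared_page[0] = ticks; }

/* Tick count derived from the host's monotonic clock. */
uint32_t host_ticks(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint32_t)(((uint64_t)ts.tv_sec * 1000 + ts.tv_nsec / 1000000) / TICK_MS);
}

/* Same access as the quoted assembly: load a dword from the absolute address. */
uint32_t guest_read_ticks(void) { return *(volatile uint32_t *)SHARED_PAGE_ADDR; }

int main(void)
{
    if (shared_page_map() != 0) { puts("0x7ffe0000 unavailable"); return 1; }
    shared_page_set_ticks(host_ticks());
    printf("dword at 0x7ffe0000: %u\n", guest_read_ticks());
    return 0;
}
```

The stored value has to be refreshed periodically by the emulation layer, since the program reads the address directly and nothing is trapped.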





More information about the wine-devel mailing list